Researchers have continuously shown that even the largest cryptocurrency and blockchain platforms often suffer from severe security vulnerabilities – that is despite being worth billions of dollars. So if you’re looking to make a quick buck with your extraordinary pentesting skills, you might want to take a cue from this researcher who found a series of bugs in trending blockchain solution EOS.
After a thorough analysis of the technology, Dutch ethical hacker Guido Vranken found several vulnerabilities in the EOS network which entitled him to a hefty $120,000 reward from the company’s bug bounty program.
Thank you. A couple more waiting to be rewarded. I think the final tally was $120K but I lost count. Took me about a week.
— Guido Vranken (@GuidoVranken) June 4, 2018
Vranken says he discovered 11 confirmed bugs in the EOS software last week. The HackerOne report reveals that the hacker has already received $90,000 in bounty payments from EOS parent company Block.one for nine different bugs he found in the system.
According to Vranken, the total amount owed to him comes close to $120,000 and the rewards are still pouring in. He has also previously reported bugs to Ethereum, Ripple, and Stellar.
Indeed, Vranken says that EOS purportedly offered him a position in the company shortly after he reported his discovery.
EOS has received widespread criticism for the lack of product development and the security glitches in spite of raising $4 billion in a year-long initial coin offering (ICO). John Oliver, the host of the popular HBO show Last Week Tonight called EOS “a software startup that doesn’t plan to sell any software.”
Just last week, Chinese internet security company, Qihoo 360 found a series of high-risk vulnerabilities with EOS before the network’s mainnet launch on June 2, 2018.
Qihoo 360 said that Block.One has promised to hold off EOS mainnet launch until the vulnerabilities are eliminated, but the company went ahead with the launch anyway stating that all the bugs will be fixed by the time of the launch. Reports have since indicated that days after the official launch, the EOS blockchain is still not fully up and running.
It is not yet known whether the bugs pointed out by Vranken have been fixed or not. But if you are a startup with $4 billion in your account, you can probably afford to keep paying developers to find and fix bugs.
Update 03:49 PM GMT, June 6, 2018: Vranken told us that EOS has since fixed the bugs in question following his report. Here’s what he had to say:
The EOS people are very appreciative of my efforts. Reported bugs were quickly analyzed and fixed in their public repository. At first the process was very ad-hoc because [EOS CTO] Daniel Larimer and I were sending files back and forth on Telegram, but they’ve since started to run a bug bounty program on HackerOne which I think is in the best interest of both bug finders and the EOS team.
He further noted that – contrary to some criticism on Reddit – he was perfectly happy with the $10,000 per bug bounty he received.